Skip to content

Latest commit

 

History

History
235 lines (143 loc) · 14.2 KB

razor-pages-authorization.md

File metadata and controls

235 lines (143 loc) · 14.2 KB
title author description monikerRange ms.author ms.custom ms.date uid
Razor Pages authorization conventions in ASP.NET Core
rick-anderson
Learn how to control access to pages with conventions that authorize users and allow anonymous users to access pages or folders of pages.
>= aspnetcore-2.1
riande
mvc
08/12/2019
security/authorization/razor-pages-authorization

Razor Pages authorization conventions in ASP.NET Core

:::moniker range=">= aspnetcore-3.0"

One way to control access in your Razor Pages app is to use authorization conventions at startup. These conventions allow you to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this topic automatically apply authorization filters to control access.

View or download sample code (how to download)

The sample app uses cookie authentication without ASP.NET Core Identity. The concepts and examples shown in this topic apply equally to apps that use ASP.NET Core Identity. To use ASP.NET Core Identity, follow the guidance in xref:security/authentication/identity.

Require authorization to access a page

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizePage* convention to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to the page at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

To specify an authorization policy, use an AuthorizePage overload:

options.Conventions.AuthorizePage("/Contact", "AtLeast21");

Note

An xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter can be applied to a page model class with the [Authorize] filter attribute. For more information, see Authorize filter attribute.

Require authorization to access a folder of pages

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeFolder* convention to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to all of the pages in a folder at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path.

To specify an authorization policy, use an AuthorizeFolder overload:

options.Conventions.AuthorizeFolder("/Private", "AtLeast21");

Require authorization to access an area page

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaPage* convention to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to the area page at the specified path:

options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts");

The page name is the path of the file without an extension relative to the pages root directory for the specified area. For example, the page name for the file Areas/Identity/Pages/Manage/Accounts.cshtml is /Manage/Accounts.

To specify an authorization policy, use an AuthorizeAreaPage overload:

options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts", "AtLeast21");

Require authorization to access a folder of areas

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaFolder* convention to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to all of the areas in a folder at the specified path:

options.Conventions.AuthorizeAreaFolder("Identity", "/Manage");

The folder path is the path of the folder relative to the pages root directory for the specified area. For example, the folder path for the files under Areas/Identity/Pages/Manage/ is /Manage.

To specify an authorization policy, use an AuthorizeAreaFolder overload:

options.Conventions.AuthorizeAreaFolder("Identity", "/Manage", "AtLeast21");

Allow anonymous access to a page

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AllowAnonymousToPage* convention to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter to a page at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

Allow anonymous access to a folder of pages

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AllowAnonymousToFolder* convention to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter to all of the pages in a folder at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path.

Note on combining authorized and anonymous access

It's valid to specify that a folder of pages requires authorization and then specify that a page within that folder allows anonymous access:

// This works.
.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")

The reverse, however, isn't valid. You can't declare a folder of pages for anonymous access and then specify a page within that folder that requires authorization:

// This doesn't work!
.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private")

Requiring authorization on the Private page fails. When both the xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter and xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter are applied to the page, the xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter takes precedence and controls access.

Additional resources

  • xref:razor-pages/razor-pages-conventions
  • xref:Microsoft.AspNetCore.Mvc.ApplicationModels.PageConventionCollection

:::moniker-end

:::moniker range="< aspnetcore-3.0"

One way to control access in your Razor Pages app is to use authorization conventions at startup. These conventions allow you to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this topic automatically apply authorization filters to control access.

View or download sample code (how to download)

The sample app uses cookie authentication without ASP.NET Core Identity. The concepts and examples shown in this topic apply equally to apps that use ASP.NET Core Identity. To use ASP.NET Core Identity, follow the guidance in xref:security/authentication/identity.

Require authorization to access a page

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizePage* convention via xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcBuilderExtensions.AddRazorPagesOptions* to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to the page at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

To specify an authorization policy, use an AuthorizePage overload:

options.Conventions.AuthorizePage("/Contact", "AtLeast21");

Note

An xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter can be applied to a page model class with the [Authorize] filter attribute. For more information, see Authorize filter attribute.

Require authorization to access a folder of pages

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeFolder* convention via xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcBuilderExtensions.AddRazorPagesOptions* to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to all of the pages in a folder at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path.

To specify an authorization policy, use an AuthorizeFolder overload:

options.Conventions.AuthorizeFolder("/Private", "AtLeast21");

Require authorization to access an area page

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaPage* convention via xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcBuilderExtensions.AddRazorPagesOptions* to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to the area page at the specified path:

options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts");

The page name is the path of the file without an extension relative to the pages root directory for the specified area. For example, the page name for the file Areas/Identity/Pages/Manage/Accounts.cshtml is /Manage/Accounts.

To specify an authorization policy, use an AuthorizeAreaPage overload:

options.Conventions.AuthorizeAreaPage("Identity", "/Manage/Accounts", "AtLeast21");

Require authorization to access a folder of areas

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AuthorizeAreaFolder* convention via xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcBuilderExtensions.AddRazorPagesOptions* to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter to all of the areas in a folder at the specified path:

options.Conventions.AuthorizeAreaFolder("Identity", "/Manage");

The folder path is the path of the folder relative to the pages root directory for the specified area. For example, the folder path for the files under Areas/Identity/Pages/Manage/ is /Manage.

To specify an authorization policy, use an AuthorizeAreaFolder overload:

options.Conventions.AuthorizeAreaFolder("Identity", "/Manage", "AtLeast21");

Allow anonymous access to a page

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AllowAnonymousToPage* convention via xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcBuilderExtensions.AddRazorPagesOptions* to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter to a page at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

Allow anonymous access to a folder of pages

Use the xref:Microsoft.Extensions.DependencyInjection.PageConventionCollectionExtensions.AllowAnonymousToFolder* convention via xref:Microsoft.Extensions.DependencyInjection.MvcRazorPagesMvcBuilderExtensions.AddRazorPagesOptions* to add an xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter to all of the pages in a folder at the specified path:

[!code-csharp]

The specified path is the View Engine path, which is the Razor Pages root relative path.

Note on combining authorized and anonymous access

It's valid to specify that a folder of pages that require authorization and than specify that a page within that folder allows anonymous access:

// This works.
.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")

The reverse, however, isn't valid. You can't declare a folder of pages for anonymous access and then specify a page within that folder that requires authorization:

// This doesn't work!
.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private")

Requiring authorization on the Private page fails. When both the xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter and xref:Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter are applied to the page, the xref:Microsoft.AspNetCore.Mvc.Authorization.AllowAnonymousFilter takes precedence and controls access.

Additional resources

  • xref:razor-pages/razor-pages-conventions
  • xref:Microsoft.AspNetCore.Mvc.ApplicationModels.PageConventionCollection

:::moniker-end